Drop a fully PCI-DSS SAQ A compliant hosted checkout into any web application in minutes. Card data is captured exclusively inside PSP-hosted iFrame SDKs — PayServ's servers never see raw cardholder data at any point.
PayServ Hosted Payments provides a pre-built, fully configurable checkout UI component that can be embedded into React, Angular, Vue, plain HTML, or any other web framework through a single JavaScript SDK call. The visual output is completely white-label — your brand, your colours, your domain.
Under the hood, the card number, CVV, and expiry fields are rendered as separate iFrame elements injected directly from the PSP's CDN. This means the card data lives in a completely separate browsing context that your application — and PayServ's servers — cannot read, intercept, or modify.
The three highlighted fields above are iFrame elements injected directly from the PSP's CDN. Neither PayServ nor the merchant application can access their contents via JavaScript or DOM inspection.
This section is provided for technical compliance reviewers at Stripe, Square, and acquiring banks assessing PayServ's CDE boundary.
The Square Web Payments SDK or Stripe.js library is loaded directly from cdn.squareup.com or js.stripe.com — not proxied or rehosted by PayServ. The browser establishes a direct TLS session to the PSP's CDN.
The SDK renders each sensitive input (card number, CVV, expiry) as a separate <iframe> element with an src pointing to a PSP-owned origin. The browser's same-origin policy prevents any parent-frame JavaScript from reading these field values.
On submit, the PSP SDK sends the card data over a direct HTTPS connection from the iFrame context to the PSP's tokenization endpoint. A short-lived, opaque payment token (nonce) is returned to the parent page — never the raw card data.
The payment token (nonce) is passed to PayServ's API. PayServ's server exchanges this nonce with the PSP to charge the underlying card. At no point does a PAN, CVV, or full expiry date transit PayServ's network or storage layer.
<!-- PayServ Hosted Payments SDK mount points -->
<!-- The PSP SDK populates each container with a cross-domain iFrame -->
<div id="card-container"></div> <!-- Card number iFrame -->
<div id="expiry-container"></div> <!-- Expiry iFrame -->
<div id="cvv-container"></div> <!-- CVV iFrame -->
<!-- On submit: nonce returned to your app. PAN never leaves PSP origin -->Custom colours, fonts, logos, and domain — the checkout looks and feels entirely like your brand, not PayServ's.
If the primary PSP is down, PayServ silently reroutes the checkout session to the next eligible gateway — invisible to the cardholder.
140+ currencies, automatic presentment currency detection, and real-time FX conversion across all supported PSPs.
Native wallet payment methods are surfaced automatically when the browser and device support them — no additional integration work required.
Strong Customer Authentication challenges are handled natively within the SDK flow. Merchants see only the final authorised or declined result.
A single normalised webhook schema regardless of which PSP processed the payment — authorised, captured, declined, refunded, or disputed.
Register for early access to PayServ Hosted Payments. Sandbox credentials, SDK documentation, and a Postman collection are issued immediately on approval.